github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-23 17:28:26 -04:00
Code Issues Projects Releases Packages Wiki Activity

fix: explicitly enable native role mappings for Mock IDP (#184017)

Browse source 
## Summary

The most recent versions of the Serverless Elasticsearch disable native
role mappings by default and this conflicts with the Mock IDP
package/plugin that we use for local development and tests. To unblock
ES snapshot promotion I explicitly enable native role mappings for Mock
IDP only, but eventually we should consider switching to a file-based
role mapping (`config/operator/settings.json`, I didn't manage to make
it work in a reasonable amount of time).

```bash
$ cat config/operator/settings.json
{
  "metadata": {
    "version": "%s",
    "compatibility": "8.4.0"
  },
  "state": {
    "role_mappings": {
      "mock-idp-mapping": {
        "enabled": true,
        "role_templates": [
          {
            "format": "json",
            "template": "{\"source\":\"{{#tojson}}groups{{/tojson}}\"}"
          }
        ],
        "rules": {
          "all": [
            {
              "field": {
                "realm.name": "cloud-saml-kibana"
              }
            }
          ]
        }
      }
    }
  }
}
```

/cc @albertzaharovits
This commit is contained in:
Aleh Zasypkin 2024-05-22 17:38:54 +02:00 committed by GitHub
parent cc5a2bd7e5
commit b0c0e4d4d0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 6 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
packages/kbn-es/src/utils/docker.test.ts
View file

@ -438,7 +438,6 @@ describe('resolveEsArgs()', () => {
kibanaUrl: 'https://localhost:5601/',
});
expect(esArgs).toHaveLength(26);
expect(esArgs).toMatchInlineSnapshot(`
Array [
"--env",
@ -448,6 +447,8 @@ describe('resolveEsArgs()', () => {
"--env",
"xpack.security.http.ssl.verification_mode=certificate",
"--env",
"xpack.security.authc.native_role_mappings.enabled=true",
"--env",
"xpack.security.authc.realms.saml.cloud-saml-kibana.order=0",
"--env",
"xpack.security.authc.realms.saml.cloud-saml-kibana.idp.metadata.path=/usr/share/elasticsearch/config/secrets/idp_metadata.xml",
@ -477,7 +478,6 @@ describe('resolveEsArgs()', () => {
kibanaUrl: 'https://localhost:5601/',
});
expect(esArgs).toHaveLength(8);
expect(esArgs).toMatchInlineSnapshot(`
Array [
"--env",

4
packages/kbn-es/src/utils/docker.ts
View file

@ -486,6 +486,10 @@ export function resolveEsArgs(
) {
const trimTrailingSlash = (url: string) => (url.endsWith('/') ? url.slice(0, -1) : url);
// The mock IDP setup requires a custom role mapping, but since native role mappings are disabled by default in
// Serverless, we have to re-enable them explicitly here.
esArgs.set('xpack.security.authc.native_role_mappings.enabled', 'true');
esArgs.set(`xpack.security.authc.realms.saml.${MOCK_IDP_REALM_NAME}.order`, '0');
esArgs.set(
`xpack.security.authc.realms.saml.${MOCK_IDP_REALM_NAME}.idp.metadata.path`,